b'Review of PRISM Automated\nProcurement System Support\nContracts\n\n\n\n\n                                             September 30, 2010\n                                             Report No. 486\n Audit Conducted by Regis & Associates, PC\n\x0c                                                 UNITED STATES\n                              SECURITIES AND EXCHANGE COMMISSION\n                                           WASHINGTON, D.C.       20549\n\n\n      OFFICE OF\nIIIISPECTOR GEIllERAl\n\n\n\n\n                                       MEMORANDUM\n                                               September 30,2010\n\n              To;           Sharon Sheehan, Associate Executive Director, Office of\n                             Administrative Services (OAS)\n                            Jeffrey Heslop, Chief Operating Officer (COO), and Acting Chief\n                             Information Officer (CIO), Office of Information Technology (OIT)           ,VJ\n              From:         H. David Kotz, Inspector General, Office of Inspector   Genera~>V~\n              Subject:      Review of PRISM Automated Procurement System Support\n                            Contracts, Report No. 486\n\n              This memorandum transmits the U.S. Securities and Exchange Commission\n              Office of Inspector General\'s (OIG) final report detailing the results of our review\n              of the PRISM automated procurement system support contracts. This review\n              was conducted based on anonymous complaints OIG received regarding\n              procurements relating to the management and integration of PRISM.\n\n              The final report contains five recommendations, which if implemented, should\n              improve the Commission\'s programs and operations. OAS concurred with\n              recommendations 2, 4, and 5 and non-concurred with recommendation 3. The\n              COO/Acting CIO concurred with recommendation 1 which was addressed to OIT.\n              Your written response to the draft report is included in its entirety in Appendix V\n\n              Within the next 45 days, please provide the OIG with a written corrective action\n              plan that is designed to address the agreed recommendations. The corrective\n              action plan should include information such as the responsible official/point of\n              contact, time frames for completing the required actions, milestones identifying\n              how you will address the recommendations cited in this report.\n\n\n\n\n          Review of PRISM Automated Procurement System Support Contracts            September 30, 2010\n          Report No. 486\n                                                         i\n\x0cShould you have any questions regarding this report, please do not hesitate to\ncontact me. We appreciate the courtesy and cooperation that you and your staff\nextended to our staff and contractors.\n\nAttachment\ncc:   Kayla J. Gillan, Deputy Chief of Staff, Office of the Chairman\n      Diego Ruiz, Executive Director, Office of the Executive Director\n      David Becker, General Counsel, Office of General Counsel\n      Jeffrey Risinger, Associate Executive Director, Office of Human\n       Resources\n      Kenneth Johnson, Associate Executive Director, Office of\n        Financial Management\n      Julie Basile, Assistant Director, Office of Administrative Services, Office of\n       Acquisitions\n      George R. Eckard, Assistant Director, Office of Finance and\n       Administration, Office of Information Technology\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts      September 30, 2010\nReport No. 486\n                                               ii\n\x0cReview of PRISM Automated Procurement\nSystem Support Contracts\n                             Executive Summary\nBackground. The Office of Inspector General (OIG) contracted the services of\nRegis & Associates, PC (Regis), Independent Public Accountants, to conduct a\nreview of the contract administration activities related to the Office of Acquisitions\n(OA) automated procurement system, PRISM.\n\nThe U.S. Securities and Exchange Commission\xe2\x80\x99s (SEC or Commission) Office of\nAdministrative Services (OAS), OA, is responsible for the agency\xe2\x80\x99s contract and\nprocurement activities and processes; while the SEC divisions and offices are\nresponsible for preparing initial procurement requisitions and statements of work.\n\nOver the past several years, OA has unsuccessfully attempted to automate its\nprocurement function. OA has procured two different automated procurement\nsystems (APS) to manage acquisitions, the Procurement Desktop System (PDS),\nand the Strategic Acquisition Manager (SAM). OA discontinued its use of PDS in\n1998, and acquired SAM in 2007. Subsequently, OA discontinued the use of\nSAM in March 2008, due to a variety of system performance issues. In\nSeptember 2008, the SEC acquired an APS named PRISM. PRISM was\nintended to enable OA to accurately track and reconcile SEC\xe2\x80\x99s contracts and\nagreements. PRISM, which was implemented on April 21, 2009, and is\ncommonly referred to as OA\xe2\x80\x99s \xe2\x80\x9ccontract writing tool,\xe2\x80\x9d is a web-based, commercial\noff-the-shelf, procurement and contract management system. PRISM provides a\nstreamlined, end-to-end procurement cycle that integrates and tracks information\nfrom the initiation of a requirement, through its solicitation and award. PRISM\nalso tracks information on contract administration, contract closeout, and\ndocument archive.\n\nContract No. SECHQ1-08-C-8239 was awarded to Virtus Consulting Group, Inc.,\n(Virtus) on August 12, 2008, to provide project support for the implementation of\nPRISM. Task Order No. 0004, under Indefinite Delivery Indefinite Quantity\n(IDIQ) No. SECHQ1-07-D-0320, was awarded to another vendor, Delta\nTechnologies and Solutions, Inc., to perform system coding and technical\nservices related to the integration of PRISM and Momentum, SEC\xe2\x80\x99s financial\naccounting system. The OIG received anonymous complaints regarding the\nprocurements relating to the management and integration of PRISM. This review\nwas initiated as a result of those complaints.\n\nObjectives. The overall objectives were to assess the adequacy of the PRISM\naward and contract administration activities related to the procurement of PRISM,\nand the adequacy of management and implementation of the PRISM project, and\nthe integration services. The specific objectives of the audit were as follows:\nReview of PRISM Automated Procurement System Support Contracts        September 30, 2010\nReport No. 486\n                                               iii\n\x0c    \xe2\x80\xa2   Identify and review all procurement documentation related to the project\n        management and integration support for PRISM;\n\n    \xe2\x80\xa2   Determine whether procurements were properly awarded, in accordance\n        with Federal Acquisition Regulations and SEC policies and procedures;\n\n    \xe2\x80\xa2   Determine the validity of complaints received by the OIG, related to the\n        award of the procurement for the management and integration of PRISM;\n\n    \xe2\x80\xa2   Determine whether there was adequate oversight of PRISM; and\n\n    \xe2\x80\xa2   Review governing Commission policies, guidance, etc., and follow up on\n        prior recommendations to ensure they have been closed and corrective\n        actions were completed.\n\nPrior OIG Audit Report. OIG Report No. 471, Audit of the Office of Acquisitions\xe2\x80\x99\nProcurement and Contract Management Functions, issued September 25, 2009,\ncontained 10 recommendations to strengthen management controls over OA\xe2\x80\x99s\ncontracting and procurement functions.\n\nResults. The audit identified several deficiencies related to PRISM contract\nadministration activities that raise concerns about the future success of the\nPRISM project. Specifically, we found that there were repeated requests made\nto the Office of Information Technology (OIT) for project management support for\nthe project. The Associate Executive Director for the OAS advised OIT that the\nSAM project manager was unable to give the upcoming APS project adequate\ntime and attention and that the level of support was insufficient for the project to\nbe successful. We found that OIT responded that they simply did not have\nenough resources to provide the needed project management support.\n\nFurther, and notwithstanding the negative experiences in the past and the\ncomplexity of the project, the PRISM project continued for over a year without an\nactive OIT project manager.\n\nMoreover, we found that competition was improperly restricted by OAS without\nfollowing proper Federal Acquisition Regulation (FAR) requirements when it\nsolicited and awarded a contract for PRISM project support through the insertion\nof a condition requiring vendor\xe2\x80\x99s employees have a current (or within the past 30\ndays) SEC clearance. We found that this condition effectively precluded outside\ncontractors from bidding on the work. Additionally, email correspondence\nbetween the respective OAS Contracting Officer (CO) and an Office of Financial\nManagement (OFM) employee indicated that OAS had already pre-selected a\ncontractor approximately a week before the solicitation was publicized. This\ncontractor, identified in the CO\xe2\x80\x99s email, was ultimately awarded the contract.\n\n\n\nReview of PRISM Automated Procurement System Support Contracts      September 30, 2010\nReport No. 486\n                                               iv\n\x0cIn addition, we found that there was inadequate segregation of duties in the\nmanagement of the PRISM support contract. Specifically, neither a project\nmanager nor Contracting Officer\xe2\x80\x99s Technical Representative (COTR) was\nappointed for the support contract for at least one year. This resulted in the CO\nassuming these roles and responsibilities during that period.\n\nFurthermore, we noted that a critical deliverable under the PRISM support\ncontract did not meet quality standards. The reconciliation tool developed by the\nvendor did not appear to accurately classify data between PRISM and\nMomentum. This resulted in reconciliation errors which consumed additional\nresources to remedy.\n\nLastly, after we conducted follow-up on prior recommendations in OIG Report\nNo. 471, Audit of the Office of Acquisitions\xe2\x80\x99 Procurement and Contract\nManagement Functions, issued on September 25, 2009, relating to strengthening\nmanagement controls over the contracting and procurement function, we found\nthat 8 of the 10 recommendations remain open.\n\nSummary of Recommendations. Specifically, we recommend that OIT review\nthe adequacy of trained project officers that are available to manage all current\nand anticipated projects. If it is determined that sufficient qualified project officers\nare not available to manage all current and anticipated projects, OIT should\nremedy the situation by either providing an adequate number of qualified\npersonnel, or implementing an alternative process for ensuring oversight of\nprojects.\n\nFurther, we recommend that OAS:\n\n    (1) Issue guidance to staff on the proper use of restrictive clauses in\n        solicitations and the prohibition on pre-selection, and require that\n        applicable requirements in the Federal Acquisition Regulations are\n        followed.\n\n    (2) Implement internal procedures to limit Contracting Officers from also\n        assuming project management and COTR responsibilities on the same\n        project.\n\n    (3) Review existing contracts to ensure that COTRs are assigned for each\n        contract as appropriate.\n\n    (4) Work in conjunction with OFM to evaluate the reconciliation tool discussed\n        in Finding 4 in order to determine, on a cost to benefit basis, whether it\n        would be feasible to correct the deficiencies noted.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts         September 30, 2010\nReport No. 486\n                                               v\n\x0cTABLE OF CONTENTS\nExecutive Summary ......................................................................................................iii\n\nTable of Contents ........................................................................................................ vi\n\nBackground and Objectives\n     Background ....................................................................................................... 1\n     Objectives .......................................................................................................... 2\n\nFindings and Recommendations\n     Finding 1: OIT Was Not Actively Involved in Project Management for the\n     Implementation of the PRISM Project ................................................................ 4\n                  Recommendation 1....................................................................... 6\n\n         Finding 2: Full and Open Competition was Restricted in the Solicitation\n         Process .............................................................................................................. 6\n                         Recommendation 2....................................................................... 9\n\n         Finding 3: Contracting Officer Performed Project Management and\n         Contracting Officer Technical Representative Duties on the Project\n         Support Contract .............................................................................................. 10\n                      Recommendation 3..................................................................... 12\n                      Recommendation 4..................................................................... 12\n\n         Finding 4: Tool to Reconcile PRISM and Momentum Contract Information\n         Did Not Meet Quality Standards ....................................................................... 13\n                      Recommendation 5..................................................................... 14\n\nAppendices\n    Appendix I:              Acronyms. .................................................................................. 15\n    Appendix II:             Scope and Methodology ............................................................. 16\n    Appendix III:            Criteria ........................................................................................ 18\n    Appendix IV:             List of Recommendations .......................................................... 19\n    Appendix V:              Management Comments ............................................................ 20\n    Appendix VI:             OIG Response to Management\xe2\x80\x99s Comments............................. 29\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                                    September 30, 2010\nReport No. 486\n                                                          vi\n\x0c                    Background and Objectives\n\nBackground\nThe Office of Administrative Services (OAS), Office of Acquisitions (OA) is\nresponsible for the U.S. Securities and Exchange Commission (SEC or\nCommission) procurement and contract activities and processes, which are\ngoverned by the Federal Acquisition Regulation (FAR). While OA oversees the\nprocurement responsibilities, the SEC divisions and offices are responsible for\npreparing initial procurement requisitions and statements of work. OA consists of\nfour primary contracting branches, each of which is headed by a Branch Chief.\nEach branch is staffed with Contracting Officers, Contract Specialists, and\nsupport personnel.\n\nOver the past several years, OA has unsuccessfully attempted to automate its\nprocurement function. Initially, OA utilized the Procurement Desktop System\n(PDS), but discontinued its use in 1998 after finding that the system was\ninadequate to perform necessary procurement functions. OA then acquired the\nStrategic Acquisition Manager (SAM) tool 1 to automate the SEC\xe2\x80\x99s acquisition and\nprocurement process. OA used SAM as its pilot automated procurement system\n(APS) from May 2007 to March 2008. OA discontinued using SAM as a result of\nthe system\xe2\x80\x99s failure to meet its needs and the vendor\xe2\x80\x99s failure to provide trained\nsystem administrators who could fix the system\xe2\x80\x99s problems. OA also\nencountered problems with the interfacing between SAM and Momentum 2 when\nMomentum would occasionally experience problems and shut down. OAS also\nexperienced problems with server equipment not being able to handle the\nvolume of data being sent from Momentum and SAM.\n\nIn September 2008, the SEC acquired PRISM, another APS. OA hopes that\nPRISM will enable it to more accurately track and reconcile SEC\xe2\x80\x99s contracts and\nagreements. PRISM, commonly referred to as OA\xe2\x80\x99s \xe2\x80\x9ccontract writing tool,\xe2\x80\x9d is a\nweb-based, commercial off-the-shelf, procurement and contract management\nsystem. It provides a streamlined end-to-end procurement cycle that integrates\nand tracks information from the initiation of the requirement through solicitation\nand award. It also tracks information on contract administration, contract\ncloseout, and document archive.\n\nThe following procurements were issued relative to the acquisition and\nintegration of PRISM and Momentum:\n\n\n\n\n1\n SAM was a multi-year project that was approved in April 2005 for a total cost of $2,492,371.\n2\n Momentum is the SEC\xe2\x80\x99s financial accounting system.\nReview of PRISM Automated Procurement System Support Contracts                           September 30, 2010\nReport No. 486\n                                                    1\n\x0c    \xe2\x80\xa2   PRISM Phase 1, Software and Support Contract (OA Contract Writing\n        Tool): Compusearch Software Systems, Inc., SECHQ1-08-F-8240,\n        $3,744,582.08, period of performance - September 23, 2008 to present.\n\n    \xe2\x80\xa2   PRISM Phase 1, Project Management Contract (Project Support): Virtus\n        Consulting Group, Inc. (Virtus), SECHQ1-08-C-8239, $1,239,119.20,\n        period of performance - August 12, 2008 to December 10, 2010.\n\n    \xe2\x80\xa2   PRISM Phase 2, (Interface) Integration Support Task Order: Delta\n        Solutions and Technologies, Inc. (Delta), SECHQ1-07-D-0320 Task Order\n        0004, $1,240,061.27, period of performance - February 4, 2009 to July 15,\n        2010.\n\nOn July 21, 2008, SEC posted a solicitation notice to vendors on\nFedBizOpps.gov, to procure project support services for the implementation of an\nAPS. The solicitation required key contractor employees proposed to work on\nthe implementation, to have been cleared to work at the SEC within the past 30\ndays. Although 33 vendors requested the SEC\xe2\x80\x99s Request for Proposal, only one\nvendor, Virtus Consulting Group, Inc. (Virtus) submitted a bid. After a review by\na technical evaluation panel, this one offer was accepted, and a contract was\nawarded to Virtus, on August 12, 2008, for project support related to the PRISM\nimplementation in the amount of $600,000.\n\nOn January 7, 2009, the SEC\xe2\x80\x99s Project Review Board approved a project related\nto the integration of PRISM and Momentum. Subsequently, on February 20,\n2009, OAS awarded Task Order 0004 to Delta Solutions and Technologies, Inc.\nunder Indefinite Delivery Indefinite Quantity (IDIQ) SECHQ1-07-D-0320, in the\ninitial amount of $586,386 to perform coding and technical services related to the\nintegration.\n\nThe Office of Inspector General (OIG) received anonymous complaints regarding\nthe procurements relating to the management and integration of the PRISM.\nThis audit was initiated as a result of those complaints.\n\nObjectives\nThe overall objectives were to assess the adequacy of the PRISM award and\nrelated contract administration activities and assess the management and\nimplementation of the PRISM project and the integration services. The specific\nobjectives were as follows:\n\n    1) Identify and review all procurement documentation related to project\n       management and integration support for PRISM;\n    2) Determine whether procurements were properly awarded, in accordance\n       with Federal Acquisition Regulations and SEC policies and procedures;\n\nReview of PRISM Automated Procurement System Support Contracts    September 30, 2010\nReport No. 486\n                                               2\n\x0c    3) Determine the validity of complaints received by the OIG, related to the\n       award of the procurements for the management and integration of PRISM;\n    4) Determine whether there was adequate oversight of PRISM; and\n    5) Review governing Commission policies, guidance, etc., and follow up on\n       prior recommendations to ensure that they have been closed, and that\n       corrective actions were completed.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts   September 30, 2010\nReport No. 486\n                                               3\n\x0c               Findings and Recommendations\n\nFinding 1: OIT Was Not Actively Involved in\nProject Management for the Implementation\nof the PRISM Project\n         The Office of Information Technology (OIT) was not actively\n         engaged in project management of the PRISM\n         implementation and integration project for over a year,\n         despite OAS\xe2\x80\x99 request for full-time OIT project management\n         support prior to the start of the project. 3\n\nOIT Did Not Adequately Provide Project Management\nThe Office of Management and Budget (OMB) A-109, Major System Acquisitions,\nSection 8- Management Structure, states, in part:\n\n         b. Each agency that acquires -- or is responsible for activities\n         leading to the acquisition of -- major systems will establish\n         clear lines of authority, responsibility, and accountability for\n         management of its major system acquisition programs.\n\nOver the past several years, OA unsuccessfully tried to automate its procurement\nfunction. OAS procured two different APS\xe2\x80\x99s to track acquisitions, PDS and SAM.\nAfter OAS discontinued the use of SAM in March 2008, OAS acquired PRISM in\nSeptember 2008. PRISM is a web-based, commercial off-the-shelf procurement\nand contract management system that provides a streamlined end-to-end\nprocurement cycle that integrates and tracks information from the initiation of the\nrequirement through the solicitation and award process. PRISM also tracks\ninformation on contract administration, contract closeout and document archive.\nThe scope of the PRISM project not only included implementation of the actual\nsystem, but also included the award of two related contracts for project support\nand integration work. 4\n\nBased on lessons learned from the failure of SAM, OAS recognized the necessity\nof having a full-time project manager with a strong information technology (IT)\nbackground during the acquisition and implementation of a procurement system.\n\n3\n  While OIT did not have resources to assign a full-time project manager, OIT maintains that two\nknowledgeable project managers were assigned to assist OA with the IT-related aspects of the initial PRISM\nimplementation and subsequent initiative to integrate PRISM with Momentum prior to OIT assuming the role\nof overall project manager in December 2009.\n4\n  The PRISM project consists of two distinct phases. Phase 1 was to field the PRISM system in OA as a\ncontract writing tool. Phase 2, which is still ongoing, is meant to interface PRISM with the Commission\xe2\x80\x99s\nfinancial management system.\nReview of PRISM Automated Procurement System Support Contracts                             September 30, 2010\nReport No. 486\n                                                     4\n\x0cTherefore, in May 2008, approximately four months prior to acquiring its third\nprocurement system, the Associate Executive Director (AED) for OAS requested\nOIT provide more project management resources for the upcoming PRISM\nproject.\n\nMore specifically, on May 21, 2008 the AED OAS sent an email to the Assistant\nDirector of Finance and Administration for OIT, indicating that she had made\nrepeated requests to OIT for project management support for the past two years.\nThe AED OAS further stated that the SAM project manager was unable to give\nthe project adequate time and attention and was \xe2\x80\x9cspread across too many\nprojects.\xe2\x80\x9d In addition, the AED OAS stated that the current level of support for\nthe upcoming APS project \xe2\x80\x9csimply isn\xe2\x80\x99t enough for a project of this complexity to\nbe successful.\xe2\x80\x9d Moreover, the AED OAS noted that the amount of effort was\nconsidered inadequate when benchmarked against a U.S. Army project that she\nprocured which was similar in nature and complexity. A similar system\nimplementation at the U.S. Army involved the full-time efforts of a GS-14 IT\nproject officer, and two GS-13 IT junior project officers, and did not involve\nintegration with the U.S. Army\xe2\x80\x99s financial system. The AED OAS stated that OIT\nrepresentatives explained on a number of occasions that they simply didn\xe2\x80\x99t have\nenough resources to provide the needed project management support. OIT,\nhowever, never formally responded to OAS\xe2\x80\x99 request for more project\nmanagement resources for PRISM.\n\nNotwithstanding the negative experiences in the past and the complexity of the\nproject, the implementation of PRISM (Phase 1) and its integration with\nMomentum (Phase 2) commenced and continued for over a year without an\nactive OIT project manager. In December 2009, OIT senior management\nbecame concerned with the direction of the integration project and as a result, an\nindividual designated by OIT as the project manager 5 became actively involved\nin the project.\n\nAdditionally, while OIT maintains that Virtus, a contractor hired by OAS to\nperform project support (see Finding 2), was considered to be and functioned as\nthe project manager for the APS project, the contractor\xe2\x80\x99s contract with the SEC\nspecifically precluded the contractor from performing program management or\ntechnical implementation. 6 Further, there is no documentation to support the\nassertion that OIT complied with the provisions of its own Operating Directive,\nOD 24-02.04, IT Project Manager Qualification Standards, dated May 30, 2006,\nwhich requires OIT to demonstrate that vendor project managers performing\nproject management duties possess appropriate qualifications in accordance with\nSEC and OMB guidance. Accordingly, there was a lack of clearly defined lines of\n\n\n5\n  In August 2008, OIT sent an email to OAS stating that an OIT employee would be \xe2\x80\x9clisted\xe2\x80\x9d as the APS\nprogram manager; however, this individual was not actively involved in the project due to competing\npriorities.\n6\n  Contract No. SECHQ1-08-C-8239, Section C: Description/Specifications/Statement of Work, C.1.0 Scope,\nstates that \xe2\x80\x9cThis support does not include program management or technical implementation.\xe2\x80\x9d\nReview of PRISM Automated Procurement System Support Contracts                           September 30, 2010\nReport No. 486\n                                                    5\n\x0cauthority, responsibility, and accountability related to project management of\nPRISM.\n\nThe value of the two PRISM support contracts we reviewed as part of this audit,\ndoubled since the inception of the contracts. Specifically, SECHQ1-08-C-8239,\nVirtus increased from $600,000 to $1,239,119 and SECHQ1-07-D-0320, Task\nOrder 0004, increased from $586,386 to $1,041,061. Had an OIT project\nmanager been actively involved in Phases 1 and 2, issues resulting in contract\nincreases may have been avoided.\n\nThe Commission\xe2\x80\x99s apparent lack of sufficient resources to adequately manage\nthe PRISM project, in our opinion, raises serious concerns about the viability of\nthe project going forward. The SEC also may have received services that were\nnot adequate for the purposes for which they were ordered. Moreover, we are\nconcerned that the problem with lack of project management support with PRISM\nmay be indicative of a systemic problem with other major IT investments.\n\n        Recommendation 1:\n\n        The Office of Information Technology (OIT) should review the adequacy of\n        trained project officers that are available to manage all current and\n        anticipated projects. If it is determined that sufficient qualified project\n        officers are not available to manage all current and anticipated projects,\n        OIT should remedy the situation by either providing an adequate number\n        of qualified personnel, or implementing an alternative process for ensuring\n        oversight of the projects.\n\n        Management Comments. The COO/Acting CIO concurred with this\n        recommendation. See Appendix V for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that the COO/Acting CIO concurred with\n        this recommendation.\n\nFinding 2: Full and Open Competition was\nRestricted in the Solicitation Process\n        OAS issued a solicitation to obtain contractor project support\n        for PRISM that included an unusually restrictive condition\n        requiring contractor key personnel to have current security\n        clearances with the SEC, or be cleared by the SEC within\n        the past 30 days.       Additionally, email correspondence\n        between the respective OAS Contracting Officer (CO) and\n        an Office of Financial Management (OFM) employee\n        indicated that OAS had already pre-selected a contractor\n        approximately one week before the solicitation was\nReview of PRISM Automated Procurement System Support Contracts      September 30, 2010\nReport No. 486\n                                               6\n\x0c        publicized. As a result, outside contractor sources were\n        effectively precluded from bidding on the contract and full\n        and open competition was restricted.\n\nFull and Open Competition was Restricted By a Condition\nAdded to the Solicitation\n\nBecause OIT was unable to provide the project management support OAS\nrequested in May 2008, OAS decided to obtain contractor project support.\nHowever, in doing so, they issued a solicitation that was unnecessarily restrictive\nand effectively precluded competition from outside contractor sources.\n\nThe FAR Part 6.101, Full and Open Competition\xe2\x80\x94Policy, states that with\ncertain limited exceptions, contracting officers shall promote and provide\nfor full and open competition in soliciting offers (emphasis added) and\nawarding Government contracts, and contracting officers shall provide for\nfull and open competition through use of the competitive procedures that\nare best suited to the circumstances of the contract action and consistent\nwith the need to fulfill the Government\xe2\x80\x99s requirements efficiently.\n\nAdditionally, the FAR, Subpart 5.2, Synopses of Proposed Contract\nActions, \xc2\xa7 5.207, Preparation and transmittal of synopses, Paragraph c,\nrequires that notices of proposed contract actions contain a clear and\nconcise description of the supplies or services that is not unnecessarily\nrestrictive of competition and will allow a prospective offeror to make an\ninformed business judgment as to whether a copy of the solicitation should\nbe requested.\n\nOn July 21, 2008, a solicitation for PRISM project support services was\npublicized in FedBizOpps.gov, with an August 5, 2008 due date for technical and\nprice proposals. OAS sought to obtain a contractor to provide project support\nwith the functional aspects of pre-deployment planning, deployment, and post\ndeployment for PRISM. 7\n\nPart C.1.1 of the solicitation, Background, stated that \xe2\x80\x9cto take advantage of\nlessons learned, and to increase our chance of success, the SEC seeks an\nexperienced and knowledgeable project support contractor to assist with\nestablishing the procurement requirements and implementing an APS that has\nbeen proven in the Federal Sector. The Contractor shall also be knowledgeable\nin SEC systems, especially Momentum Financials and with SEC processes and\nworkflows, in order to be effective immediately upon award of a contract.\xe2\x80\x9d\nIn addition, Part C.3.0 of the solicitation, Requirements, contained conditions that\nvendors were required to meet in order to receive consideration. Specifically, the\nsolicitation stated that \xe2\x80\x9cThe Contractor\xe2\x80\x99s employees shall have a current (or\n7\n Project support was intended for Phase 1 of PRISM only (fielding the system as a contract writing tool in\nOA).\nReview of PRISM Automated Procurement System Support Contracts                        September 30, 2010\nReport No. 486\n                                                    7\n\x0cwithin the past 30 days) SEC clearance to minimize the amount of time to be on\nsite and begin work.\xe2\x80\x9d Further, a letter addressed to potential offerors, which was\nattached to the solicitation, stated \xe2\x80\x9cThe SEC invites all offerors who meet the\nrequirements and constraints of this solicitation to propose, but please seriously\nconsider not proposing if you have no one who qualifies.\xe2\x80\x9d\n\nThe solicitation limited competition by excluding vendors who were not currently\ncleared to work at the SEC and were not knowledgeable about its systems and\nprocesses. We found that there was substantial interest in the project as 33\nvendors contacted OAS to obtain a copy of the combined synopsis and\nsolicitation publicized on FedBizOpps.gov. However, upon close of the\nsolicitation on August 5, 2008, only one vendor responded with a proposal likely\nbecause of the conditions in the solicitation, including the requirement that the\ncontractor\xe2\x80\x99s employees have a current SEC clearance.\n\nFurther, we found email correspondence in the contract file, dated July 14, 2008\n(seven days before the release of the aforementioned solicitation), containing\nimproper communications between an OAS CO and a representative from OFM\nregarding the potential selection of a then-current SEC contractor to serve as a\nproject manager for APS. In this July 14, 2008 email, sent by the CO to the OFM\nrepresentative, containing the subject line \xe2\x80\x9cProcurement system status,\xe2\x80\x9d the CO\nstated that it may be best to delay a meeting because \xe2\x80\x9cwe are hiring a project\nmanager (i.e.,              ) to assist with the acquisition and implementation.\nWhen the PM is hired . . . .\xe2\x80\x9d The email further stated, \xe2\x80\x9cRight now nothing is\nhappening on the APS acquisition; I\xe2\x80\x99m trying to prepare the solicitation for the PM\nsupport.\xe2\x80\x9d Incredibly, the email identified the name of the contractor that OAS\nintended to hire a week before the solicitation was released to the public. This\nemail, coupled with the extremely restrictive solicitation provision demonstrates\npotential evidence of the improper pre-selection of the project manager. In\nAugust 2008, OAS awarded the contract to the contractor specified in the CO\xe2\x80\x99s\nJuly 14, 2008 email.\n\nDuring an interview Regis held with the AED OAS on July 29, 2010, she\nexplained the reasoning behind the decision to include the restrictive clause in\nthe solicitation regarding the security clearance by stating that during the period\nthe contract was awarded, it took one year, at a minimum, for contractors to\nobtain the necessary security clearances at the SEC. The AED OAS also stated\nthat due to these time requirements, as well as the fact that no in-house project\nofficers were provided by OIT, the provision requiring current clearances had to\nbe inserted into the solicitation. In addition, the AED OAS acknowledged that\nshe reviewed the solicitation and authorized the clause requiring that only\nvendors with currently cleared personnel should respond to the solicitation.\nHowever, it should be noted that the contract file did not contain any justifications\nfor OAS\xe2\x80\x99 decisions.\n\n\n\nReview of PRISM Automated Procurement System Support Contracts       September 30, 2010\nReport No. 486\n                                               8\n\x0cSubsequently, in August 2010, a personnel security specialist in the SEC\xe2\x80\x99s\nPersonnel Security Branch informed OIG that although there was a back log of\nclearances that needed to be adjudicated in 2008, interim clearances were\ngranted to individuals coming to work at the SEC who had no criminal record in\nseven to ten business days. If a person had a criminal record, it could take an\nadditional two to three weeks longer to adjudicate the clearance. The personnel\nsecurity specialist informed OIG that full clearances were typically granted within\n90-days of the initial submission.\n\nWe determined that the inclusion of restrictive clauses in the solicitation and the\nCO\xe2\x80\x99s July 14, 2008 email correspondence have the appearance that the results\nof the bid was predetermined and it was not awarded fairly as was alleged in a\ncomplaint the OIG received. Consequently, these findings raise concerns about\nmanagement controls within OAS to ensure adherence to applicable FAR\nrequirements regarding promoting full and open competition. Additionally, the\nCommission may not have received the best value for the services procured.\nFurther, we found that the original contract was awarded to Virtus on August 12,\n2008 in the amount of $600,000, but as a result of six modifications, the contract\namount has more than doubled and is currently valued at $1,239,119. 8\nAdditionally, we found that the period of performance under the contract was also\nextended.\n\n         Recommendation 2 9 :\n\n         The Office of Administrative Services should issue guidance to staff\n         on the proper use of restrictive clauses in solicitations and the\n         prohibition on pre-selection, and require that applicable\n         requirements in the Federal Acquisition Regulations are followed.\n\n         Management Comments. OAS concurred with this\n         recommendation. See Appendix V for management\xe2\x80\x99s full\n         comments.\n\n         OIG Analysis. We are pleased that OAS concurred with this\n         recommendation. We do note that OAS in its response stated that\n         they strongly disagreed with the finding that competition was\n         restricted inappropriately. The facts of this solicitation are not in\n         dispute. A restrictive condition was added to the solicitation for a\n         project manager requiring a current SEC clearance that resulted in\n         only one vendor submitting a proposal after 33 vendors had\n\n8\n  The modifications included additional funding related to internal control support, technical writing and\ndocumentation services, additional project support due to reclassification of PRISM as a mixed financial\nsystem, and data migration services.\n9\n  The Office of Inspector General is simultaneously issuing a Memorandum Report, referring the evidence\ncontained in this finding to the Executive Director, Associate Executive Director for Human Resources and\nthe General Counsel for appropriate disciplinary action for the senior level personnel who were responsible\nfor the improper pre-selection.\nReview of PRISM Automated Procurement System Support Contracts                             September 30, 2010\nReport No. 486\n                                                     9\n\x0c        expressed interest in the proposal. This one vendor was identified\n        by name in an e-mail as the project manager being hired a week\n        before the solicitation was released to the public.\n\nFinding 3: Contracting Officer Performed\nProject Management and Contracting Officer\nTechnical Representative Duties on the\nProject Support Contract\n        The OAS CO for the project support contract discussed in Finding 2\n        also assumed the roles and responsibilities of a project manager\n        and Contracting Officer\xe2\x80\x99s Technical Representative (COTR) for\n        about one year from the inception of the contract. Additionally, the\n        CO approved the first 10 vendor invoices under this contract and\n        reviewed and accepted contract deliverables, though it appears this\n        individual lacked the technical competence needed to ensure the\n        deliverables met the contract requirements.\n\nNo COTR or Project Manager Was Initially Appointed to\nManage the Contract\nWe found that the CO for one of the PRISM support contracts also served\nas the COTR and this individual did not appear to have the technical\nqualifications or time to fulfill this role. Contract Number SECHQ1-08-C-\n8239, was awarded to Virtus to provide project support for the\nimplementation of PRISM. The respective OAS CO did not appoint a\nCOTR for this contract from its August 12, 2008 inception to August 17,\n2009. The contract, Section G - Contract Administration Data, Subsection\nG.1, Appointment of Contracting Officer\xe2\x80\x99s Technical Representative,\nstated that a COTR would not be appointed for the award and that the CO\nwould perform the duties of a COTR such as inspecting, reviewing, and\naccepting deliverables and services. However, the deliverables for this\ntype of contract are of an inherently technical nature and require approval\nby an individual with appropriate technical competencies. The\ndeliverables included an internal controls reconciliation report, disaster\nrecovery plan, system security plan, privacy analysis worksheet, business\nimpact analysis, and communication plan.\n\nBased on information gathered in interviews with the CO, we do not\nbelieve this individual possessed the necessary technical competencies or\nadequate time to monitor a contract of this complexity and size. The CO\xe2\x80\x99s\nknowledge and experience was primarily in procurement administration\nand management, while the subject contract required IT requirement\ndevelopment and project management experience. Additionally, as\nReview of PRISM Automated Procurement System Support Contracts     September 30, 2010\nReport No. 486\n                                              10\n\x0cdiscussed in Finding 1, there was a lack of OIT project management for\nthe overall PRISM project, including at the inception of this contract for\nproject support.\n\nSEC Regulation 10-15 (November 4, 2004 revision) requires that in order to be\nappointed as a COTR, an individual must \xe2\x80\x9cpossess at the time of the nomination\nthe technical background, experience necessary, and Federal Acquisition\nCertification COTR certification specified in this Directive, and shall be\nknowledgeable about the services for which the COTR responsibilities are\nassigned.\xe2\x80\x9d Furthermore, SEC Regulation 10-15 requires the CO to carefully\nconsider the complexity and dollar value of the contract and appoint a COTR\nbased on the results. Contract Number SECHQ1-08-C-8239 was a complex\ncontract, with a final dollar value in excess of $1.2 million. In addition, a\nwidespread and standard practice in the implementation of software related\nprojects is the designation of a project manager, who typically has information\ntechnology experience, as well as project management experience.\nConsequently, we believe that OAS\xe2\x80\x99 decision to appoint the CO as the COTR\nwas contrary to the intent of SEC\xe2\x80\x99s internal policies and procedures, as well as\nstandard industry practice. Additionally, this put the SEC at risk of accepting\ndeliverables that may not have been in accordance with the contract or in the\nbest interest of the project. 10\n\nWe also found that the CO approved the first 10 invoices for the subject\ncontract, though the contract terms and conditions specifically prohibited\nthe CO from approving invoices. During the period covered by our scope,\n20 invoices were received and payments were made to Virtus. These\ninvoices totaled approximately $1 million, and covered the period October\n8, 2008 to May 12, 2010. Of this amount, $578,013 represented\npayments on the first 10 invoices that were approved by the CO. Section\nG - Contract Administration Data, Subsection G.2, Submission of Invoices,\nstates that \xe2\x80\x9cthe CO will not approve invoices.\xe2\x80\x9d This contract clause\nprovides for segregation of duties between the CO and an individual\ndesignated to review invoices, such as the COTR.\n\nBased on discussions with the AED OAS, we were informed that the CO\nassumed the roles and responsibilities of a project manager and COTR for\nthe first year of the contract because of a lack of adequate project\nmanagement support from OIT. Finally, in December, 2009, the situation\nwas remedied when OIT became more actively involved in Phase 2 of the\nPRISM project.\n\nAs a result of the condition noted above, there is a risk that SEC may have\nreceived services or deliverables that were not adequate for the purposes\nfor which they were ordered. For example, in Finding 4, we found that a\n\n10\n  While OAS maintains that the CO coordinated with subject matter experts in OFM and OIT prior to\naccepting deliverables, we found that these efforts were not appropriately documented.\nReview of PRISM Automated Procurement System Support Contracts                         September 30, 2010\nReport No. 486\n                                                  11\n\x0creconciliation tool developed by Virtus to reconcile contract information\nentered into PRISM and Momentum did not meet contract requirements.\n\n        Recommendation 3:\n\n        To ensure duties are segregated, the Office of Administrative Services\n        should implement internal procedures to limit Contracting Officers from\n        also assuming project management and Contracting Officer\xe2\x80\x99s Technical\n        Representative\xe2\x80\x99s responsibilities on the same project.\n\n        Management Comments. OAS did not concur with this recommendation.\n        See Appendix V for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are disappointed that OAS did not concur with\n        this recommendation and encourage them to reconsider. We do\n        not believe it is disputable that the contracting officer did not posses\n        the necessary technical competencies or experience to monitor this\n        project and that there was a lack of project management support for\n        the project as well. Lack of resources is not an appropriate\n        justification for failing to properly manage a multi-million dollar\n        project. Segregation of duties is a critical method of ensuring that\n        there is accountability and proper management in a project. The\n        recommendation that OAS implement procedures to \xe2\x80\x9climit\xe2\x80\x9d\n        contracting officers (not \xe2\x80\x9crestrict\xe2\x80\x9d as claimed in the Management\n        response) from assuming certain project management duties is a\n        prudent and appropriate step to take to ensure that SEC projects\n        are managed more efficiently in the future.\n\n        Recommendation 4:\n\n        The Office of Acquisitions should review existing contracts to ensure that\n        Contracting Officer\xe2\x80\x99s Technical Representatives are assigned for each\n        contract, as appropriate.\n\n        Management Comments. OAS concurred with this recommendation.\n        See Appendix V for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OAS concurred with this\n        recommendation.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts        September 30, 2010\nReport No. 486\n                                              12\n\x0c    Finding 4: Tool to Reconcile PRISM and\n    Momentum Contract Information Did Not Meet\n    Quality Standards\n        The reconciliation tool developed by Virtus to reconcile contract\n        information entered into PRISM and Momentum did not meet\n        contract requirements. This reconciliation tool does not accurately\n        classify data between PRISM and Momentum, thus resulting in\n        reconciliation errors. Also, the reconciliation errors generated\n        require the use of in-house resources to investigate them.\n\nA Critical Deliverable Under the Contract Did Not Meet\nQuality Standards\n\nOne of the critical deliverables, under Contract Number SECHQ1-08-C-\n8239, was a tool to reconcile PRISM and Momentum. This reconciliation\nwas necessary because PRISM and Momentum have not yet been\nintegrated, and contract data is being entered into both systems manually.\nHowever, the reconciliation tool does not appear to accurately classify\ndata between the systems, thus resulting in reconciliation errors.\nSpecifically, there are differences between the data fields used for\nentering information into PRISM and Momentum. These differences are\nincorrectly classified as errors on the reconciliation reports, i.e., false\npositives.\n\nThe Statement of Work for Modification P00001 to Contract Number\nSECHQ1-08-C-8239 states, \xe2\x80\x9cThe Contractor shall provide an accurate,\noperational, and reliable reconciliation report that can be run nightly to\nreconcile that day\xe2\x80\x99s entries in Momentum Financials and in PRISM. The\nreport must generate and maintain an error log of discrepancies between\nthe two extracts.\xe2\x80\x9d\n\nWe found that the internal logic used in the reconciliation tool was not fully\ndeveloped to account for the inherent differences between the data fields\nfor contract information entered into PRISM and Momentum. As a result,\nitems, incorrectly classified as errors, have accumulated on the\nreconciliation error log, and an inordinate amount of time has been spent\nby SEC staff in determining that these items were not actual errors. In\naddition, because the reports generated by this reconciliation tool cannot\nbe completely relied upon, there is currently no assurance that the entries\nin Momentum accurately reflect the contracts that were written through\nPRISM.\n\n\n\nReview of PRISM Automated Procurement System Support Contracts       September 30, 2010\nReport No. 486\n                                              13\n\x0c        Recommendation 5:\n\n        The Office of Administrative Services (OAS), in conjunction with the Office\n        of Financial Management, should evaluate the reconciliation tool in order\n        to determine, on a cost to benefit basis, whether it would be feasible to\n        correct the deficiencies noted. OAS should then decide whether the\n        corrections should be performed by Commission personnel, or by\n        technically competent contractor personnel.\n\n        Managements Comments. OAS concurred with this recommendation.\n        See Appendix V for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OAS concurred with this\n        recommendation.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts      September 30, 2010\nReport No. 486\n                                              14\n\x0c                                                                          Appendix I\n\n\n                                      Acronyms\n\nAED                             Associate Executive Director\nAPS                             Automated Procurement System\nCO                              Contracting Officer\nCOTR                            Contracting Officer\xe2\x80\x99s Technical Representative\nFAR                             Federal Acquisition Regulations\nIDIQ                            Indefinite Delivery Indefinite Quantity\nIT                              Information Technology\nOA                              Office of Acquisitions\nOAS                             Office of Administrative Services\nOFM                             Office of Financial Management\nOIG                             Office of Inspector General\nOIT                             Office of Information Technology\nPDS                             Procurement Desktop System\nSAM                             Strategic Acquisition Manager\nSEC or Commission               U.S. Securities and Exchange Commission\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts        September 30, 2010\nReport No. 486\n                                              15\n\x0c                                                                       Appendix II\n\n\n                      Scope and Methodology\n\nScope. We obtained the contract files for Contract Number SECHQ1-08-C-8239\nawarded to Virtus, and Task Order 0004 for IDIQ SECHQ1-07-D-0320 awarded\nto Delta Solutions and Technologies, Inc. We obtained documentation detailing\nthe history of the implementation of PRISM; and the progress to date, of the\nintegration of PRISM and Momentum, such as meeting minutes from the Project\nReview Board and the Information Officers\xe2\x80\x99 Council. This information provided\nus with an understanding of the implementation process for PRISM and its\nintegration with Momentum, and identified individuals who were instrumental in\nthe process. We obtained Obligation History Reports, listing the invoices\nreceived from both Virtus and Delta Solutions and Technologies, Inc., and the\nsupporting invoices.\n\nWe conducted our fieldwork from June 2010 to August 2010. We reviewed\ndocumentation related to the implementation of PRISM, which began in August,\n2008, and was completed in April, 2009, and the integration of PRISM and\nMomentum, which began in February, 2009 and is still ongoing.\n\nMethodology. To meet the objectives to assess the adequacy of the PRISM\naward and contract administration activities related to the procurement of PRISM\nand the management and implementation of the PRISM project and integration\nservices, as well as our other specific objectives Regis:\n\n        \xe2\x80\xa2   Identified all of the procurement documentation related to project\n            management and integration support for PRISM. We obtained and\n            reviewed the contract files for Contract Number SECHQ1-08-C-8239\n            awarded to Virtus, and Task Order Number 0004 for IDIQ SECHQ1-\n            07-D-0320 awarded to Delta Solutions and Technologies, Inc.\n        \xe2\x80\xa2   Gained access to documentation detailing the history of the\n            implementation of PRISM; and the progress, to date, of the integration\n            of PRISM and Momentum.\n        \xe2\x80\xa2   Reviewed this documentation to gain an understanding of how the\n            contracts were awarded, and whether there were any FAR violations.\n        \xe2\x80\xa2   Obtained a listing of all contractor invoices received from and paid to\n            Virtus and Delta Solutions and Technologies, Inc.\n        \xe2\x80\xa2   Conducted interviews with personnel from OA, OFM, and OIT, who\n            were associated with the acquisition or implementation of PRISM, or\n            the integration of PRISM and Momentum.\n        \xe2\x80\xa2   Obtained and reviewed relevant SEC regulations and policies, and\n            determined whether there was compliance with these policies.\n\nInternal or Management Controls. Our review of the contract files for the\nPRISM and Delta awards included gaining an understanding of internal controls\nReview of PRISM Automated Procurement System Support Contracts      September 30, 2010\nReport No. 486\n                                              16\n\x0c                                                                    Appendix II\n\nover the contracting process, as required by FAR and by SEC regulations. We\nnoted whether there was adherence to these controls.\n\nPrior Audit Coverage. Our fieldwork included determining whether\nrecommendations set forth in OIG Report No. 471, Audit of the Office of\nAcquisitions Procurement and Contract Management Functions, September 25,\n2009, were implemented.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts   September 30, 2010\nReport No. 486\n                                              17\n\x0c                                                                     Appendix III\n\n\n                                         Criteria\n\nFederal Acquisition Regulation. Establishes uniform policies and procedures\nfor acquisition by all executive agencies. The latest revision became effective on\nJuly 23, 2010.\n\nSEC Regulation 10-15. (Revised November 4, 2004) Discusses roles and\nresponsibilities of Contracting Officers\xe2\x80\x99 Technical Representatives and Inspection\nand Acceptance Officials.\n\nContract SECHQ1-08-C-8239. Issued August 12, 2008, contains provisions\ngoverning contractor performance, and specifying roles of the SEC Contracting\nOfficer.\n\nModification P00001 of Contract SECHQ1-08-C-8239. Issued June 4, 2009,\ncontains provisions governing contractor performance, and specifying roles of the\nSEC Contracting Officer.\n\nOMB Circular A-109, Major System Acquisitions. Establishes policies to be\nfollowed by executive branch agencies in the acquisition of major systems.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts     September 30, 2010\nReport No. 486\n                                              18\n\x0c                                                                       Appendix IV\n\n\n                       List of Recommendations\n\nRecommendation 1:\n\nThe Office of Information Technology (OIT) should review the adequacy of\ntrained project officers that are available to manage all current and anticipated\nprojects. If it is determined that sufficient qualified project officers are not\navailable to manage all current and anticipated projects, OIT should remedy the\nsituation by either providing an adequate number of qualified personnel, or\nimplementing an alternative process for ensuring oversight of the projects.\n\nRecommendation 2:\n\nThe Office of Administrative Services should issue guidance to staff on the\nproper use of restrictive clauses in solicitations and the prohibition on pre-\nselection, and require that applicable requirements in the Federal\nAcquisition Regulations are followed.\n\nRecommendation 3:\n\nTo ensure duties are segregated, the Office of Administrative Services should\nimplement internal procedures to limit Contracting Officers from also assuming\nproject management and Contracting Officer\xe2\x80\x99s Technical Representative\xe2\x80\x99s\nresponsibilities on the same project.\n\nRecommendation 4:\n\nThe Office of Acquisitions should review existing contracts to ensure that\nContracting Officer\xe2\x80\x99s Technical Representatives are assigned for each contract,\nas appropriate.\n\nRecommendation 5:\n\nThe Office of Administrative Services (OAS), in conjunction with the Office of\nFinancial Management, should evaluate the reconciliation tool in order to\ndetermine, on a cost to benefit basis, whether it would be feasible to correct the\ndeficiencies noted. OAS should then decide whether the corrections should be\nperformed by Commission personnel, or by technically competent contractor\npersonnel.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts       September 30, 2010\nReport No. 486\n                                              19\n\x0c                                                                                         Appendix V\n\n\n                          Management Comments\n\n\n                                           MEMORANDUM\n                                           September 24, 2010\n\n\n\n\n      TO:           H. David Kotz\n                    Inspector General\n\n      FROM:         Sharon Sheehan      ~ ft ,J..\n                    Associate Executive Director\n                    Office of A d\'s7tiveS\n                                        l E :.\'es\n                    Jeffery Heslop\n                    ChiefOperating    cer and\n                    Acting ChiefInfOrmation Officer\n\n      SUBJECf:      OAS Management Response to Draft Report No.     486~   Review ofPRISM\n                     Automated Procurement System Support Contracts\n\n\n      This memorandum is in response to the Office of Inspector General\'s Draft Report No. 486,\n      Review ofPRISMAutomated Procurement System Support Contracts. Thank you for the\n      opportunity to review and respond to this report. OIT concurs with recommendation I, and OAS\n      concurs with recommendations 1,2,4 and 5. OAS does not concur with recommendation 3. We\n      have coordinated our response with the Office ofGeneral Counsel and have provided detailed\n      response information for the findings and reco11UDendations presented in the report.\n\n\n\n\n      Cc:    David Becker, OOC\n             Diego Ruiz, ED\n             Ken Johnson, CFO\n             Kayla Gillan. OOC\n             Julie Basile, OA\n             Zayra Okrak, OFM\n             George Eckard, OIT\n             George Brown, OOC\n\n\n\n                                                    1\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                       September 30, 2010\nReport No. 486\n                                                  20\n\x0c                                                                                                     Appendix V\n\n      Introduction\n\n\n\n      Draft Audit Report 486 (Report) addresses the Office ofAcquisition\'s (OA) automation ofits\n      procurement function, and states that the findings identified in the Report "raise concerns about\n      the future success ofthe PRISM project." Management firmly believes that the PRISM project as\n      a whole has been successful and will continue to succeed. The PRISM project will evolve and\n      provide business process improvements as we fully implement the capabilities ofthe system\n      PRISM is proving to be a successful tool for OA. This fiscal year 886 total contract actions were\n      processed in PRISM representing $110.3 million.\n\n      While the Report offers some helpful suggestions, we are concerned that the Report overall is\n      inaccurate or reaches unsupported conclusions in a number ofrespects. Some ofthe findings in\n      the Report are based on improper interpretation ofcomplex issues of contract practice govemed\n      by the Federal Acquisition Regulation (FAR). We will provide references from the FAR and\n      from a Government Accountability Office (GAO) decision regarding similar matters that\n      demonstrate the SEC did not act improperly.\n\n      The Report\'s assertion that the Office of Administrative Services (OAS) restricted competition is\n      based on a misinterpretation of acquisition regulations, since including requirements the\n      government deemed necessary fur perfonnance ofwork does not improperly restrict competition.\n      The language ofthe solicitation was "the Contractor\'s employees shall have current (or within\n      the past 30 days) SEC clearance to minimize the amount oftime to be on site and begin work."\n      This permitted potential contractors to provide both employees who had active badges and\n      employees who had a recently expired SEC clearance, to be proposed.\n\n      The Report asserts that "OAS had already pre-selected a contractor approximately a week befure\n      the solicitation W811 publicized." During market research on projects, agencies frequently identity\n      potential offerors who should be able to perform the work. The filct that one ofthe six companies\n      identified during the market research was ultimately the only offeror on the project was not a\n      result ofpre-selection. Multiple companies often propose the same qualified individuals for\n      government projects. Further, none ofthe 33 potential vendors who received a copy ofthe RFP\n      complained that the security provision was improper.\n\n      Recommendation 1:\n\n      The Office of Information Technology (Om should review the adequacy of trained project\n      officers that are available to manage all current and anticipated projects. If it is\n      determined that sufficient qualified project officers are not available to manage all current\n      and anticipated projects, orr should remedy the situation by either providing an adequate\n\n\n                                                       2\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                                   September 30, 2010\nReport No. 486\n                                                           21\n\x0c                                                                                              Appendix V\n\n\n\n    number of qualified personnel, or implementing an alternative proeess for eosuring\n    oversight of the projects.\n\n    The Office of Infonnation Technology (OIT) concurs with this finding and recommendation. An\n    independent consultant is assessing the OIT organization structure and staffing levels to ensure\n    we are positioned to meet the technology needs ofthe SEC. The assessment will include the\n    qualifications and assignment ofour project management staff. We will rely upon results ofthe\n    assessment to staffour project management capability to the appropriate level and skill set. A\n    significant portion ofnew positions allocated to OIT in FY 11 will be assigned as project\n    managers.\n\n    Recommendation 2:\n\n    The Office of Administrative Services should issue guidance to staff on the proper use of\n    restrictive clauses in solidtations and the prohibition on pre-selection, and require that\n    appUcBble requirements in the Federal Acquisition Regulations are foUowed.\n\n    OAS concurs with the recommendation to issue such guidance to staff. Management takes very\n    seriously the obligation ofall contracting staff to adhere to the requiremerits ofthe FAR and\n    conduct every procurement action with the utmost professionalism and integrity. This\n    recommendation restates existing regulatory requirements, since such guidance is already present\n    in the FAR, which contracting staff already are required to follow as part oftheir duties.\n\n    We strongly disagree with the finding that competition was restricted inappropriately. The\n    Report\'s statements in this finding do not align with the actual implementation ofthe\n    Competition in Contracting Act (CICA) of 1984. As implemented in FAR part 6, which sets a\n    standard of competition for federal contracts, competition standards do not require that the needs\n    ofthe agency be abandoned in order to expand competition. The statement in this Report that\n    OAS restricted competition is a misinterpretation ofacquisition regulations since including\n    requirements the government deems necessary for performance ofthe work is appropriate.\n\n    The GAO has found that the determination of a contracting agency\'s needs and the best method\n    for accommodating them is a matter primarily within the agency\'s discretion. Generally, the mct\n    that a requirement may be burdensome or even impossible for particular firms to meet does not\n    make it objectionable ifthe requirement properly reflects the agency\'s needs.\n\n    FederaI policy at FAR 11.002(a)(1)(ii) states that "agencies shall- (I) specify needs\xc2\xb7 \xe2\x80\xa2 .... The\n    determination of agency needs is within the reasonable discretion ofthe acquiring agency. Here\n    the SEC had a reasonable basis to contract with vendors who could start work immediately. The\n    Momentum Upgrade was scheduled to go live in August 2008. Because ofthe time line, it was\n\n\n                                                    3\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                            September 30, 2010\nReport No. 486\n                                                     22\n\x0c                                                                                             Appendix V\n\n\n     important that we obtain onsite project support fur PRISM quickly. During the numerous\n     planning meetings, OIT, OFM and OAS collectively understood that the Momentum Upgrade\n     support contractors\' stay onsite was limited. A delay in project start was a significant risk since\n     the overlap with OFM contractors was key to a successful interface ofthe two sYstems, PRISM\n     and Momentum.\n\n     The work required access to sensitive SEC data and a security requirement was necessary fur\n     such access. A reasonable method for meeting this requirement, given the time delays in\n     obtaining security clearances,.was to require the presence ofa current or recent SEC security\n     clearance.\n\n     FAR 11.002 goes on to state that in specifying needs, agencies should be "using market\n     research." Here, market research indicated that six contractors with the expertise and security\n     clearances were avail.able to seek the w:ork set forth in the RFP. Given the availability ofmore\n     than one source to satisfy the stated requirement, it is incorrect to state that the security clearance\n     was restrictive. Even ifit were considered in some fashion restrictive (it did not appear so at the\n     time based on market research), the FAR goes on to state in (a)(l)(ii) that such restrictions are\n     permissible \'\'to the extent necessary to satisfy the needs of the agency" [emphasis added]. In\n     this case, the SEC\'s requirement for a security clearance relates directly to potential offerors\'\n     ability or capacity to perform the contract and to have personnel enter the SEC work site and\n     gain access to SEC computer systems, allowing them to begin work immediately upon award.\n     The awardee was required to immediately attend meetings, interview and interact with\n     government personnel as well as contractors supporting the upgrade to SEC\'s financial\n     management system, Momentum. The contract generally supported all aspects ofimplementing\n     the contract writing system and preparing to interface the two.\n\n    The requirement for a security clearance in this solicitation falls within the category of a\n    responsibility determination. One ofthe most fundamental principles of government contracting\n    is that the government may contract only with "responsible sources." Determination of\n    contractor responsibility is a business judgment made by the agency as to whether the contractor\n    can or will perform the specific requirements the government has specified. As a result, the\n    agency enjoys considerable discretion in making this decision. The requirement to assure that\n    personnel held or could quickly obtain SEC clearance is appropriate in light ofrelevant FAR\n    provisions that describe the elements bearing on determining that potential contractors are\n    responsible sources. The term "responsible source" is defined by statute and implemented into\n    regulation at FAR 9.104-1. FAR 9.104-1 (b), states the firm must "be able to comply with the\n    required or proposed delivery or performance schedule" and 9.104-3(a), states the contracting\n    officer "shall require aceeptable evidenee ofthe prospective contractor\'s ability to obtain\n    required resources," and that evidence \'\'normally consists ofa commitment or explicit\n    arrangement, that will be in existence at the time of contract award, to rent, purchase, or\n\n\n                                                        4\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                           September 30, 2010\nReport No. 486\n                                                     23\n\x0c                                                                                           Appendix V\n\n\n     otherwise acquire the needed filcilities, equipment, other resources, or personnel [emphasis\n     added]."\n\n     The Report also quoted FAR 6.101, but improperly focused only on the first portion ofthe\n     subpart, and failed to consider FAR 6.1 01 (b) oftbat same section which clearly shows agencies\n     should use competitive procedures that "are best suited to the circumstances ofthe contract\n     action and consistent with the need to fulfill the Government requirements efficiently."\n\n     The Report states that in 2008 SEC was granting interim clearances to individuals within 7-10\n     business days but no longer than 2-3 weeks, with final clearance in 90 days. Although these\n     objectives were at times met during 2008, the office\'s perfonnance to this standard was very\n     inconsistent Instead, these timeframes more accurately reflect the office\'s current standard of\n     performance. The challenges fiIced by the SEC in processing background investigation at that\n     time were cited in an inspection conducted by OIG itselfin March of 2008 (Background\n     Investigations, Report No. 434). At that time, DIG showed that although the workload ofthe\n     branch had significantly increased, the staff resources had not, resulting in a backlog of\n     investigations amounting to hundreds ofcases. The Report stated, "Delays in processing\n     background investigations and the lack ofadherence to relevant Federal requirements negatively\n     impact the recruitment ofstaffand other temporary personnel, efficient use of contractors, and\n     securit}\' offederally controlled filcilities and Commission information systems." In addition,\n     Report No. \'434 referenced complaints by Commission officials ofsignificant delays with\n     clearances. The office was also faced with a requirement to review existing employees and\n     contractors with a deadline of October 27, 2008. Contrary to the Report, delays were still\n     occurring at the time the contracts in question were formulated and awarded. Further, the process\n     ofonboarding a contract employee involves additional time for employees to complete the\n     background forms, obtain fingerprints, and process those forms through their company. Once\n     approval is granted, the company must then negotiate a start date with the employees ,and the\n     government.\n\n     In an effort to assure broadest possible competition within the constraints ofthe needs ofthe\n     SEC, the contracting officer properly submitted a combined solicitation/synopsis to Federal\n     Business Opportunities web site in accordance with FAR 5.2. FAR 5.201 (c) establishes the\n     purpose ofthe notice as \'\'to enhance competition by identifYing contracting and subcontracting\n     opportunities." When a solicitation is issued, ifany potential offeror wishes to complain about\n     the tenns ofthe solicitation as too restrictive, there are provisions in the FAR to do so. FAR\n     33.l03(e) states that protests based on alleged improprieties in a solicitation must be filed before\n     the closing date for receipt ofproposals. The SEC received no such protest Ifcompeting offerors\n     had believed that the restriction was unnecessary to meet the schedule and requirements ofthe\n\n\n\n\n                                                      5\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                         September 30, 2010\nReport No. 486\n                                                    24\n\x0c                                                                                                                  Appendix V\n\n\n    solicitation, each had a right to protest the SEC\'s inclusion ofthe requirement. However, none\n    did so.\n\n    The detennination ofa contracting agency\'s needs and the best method for accommodating them\n    is a matter primarily within the agency\'s discretion. The GAO decided a similar case, in which\n    prospective vendor protested a requirement that bidders have a security clearance at the.time of\n    award, and suggested instead that bidders should be permitted 90 days to obtain the clearance. In\n    that case, GAO upheld the government\'s position. The case decision is Computer Maintenance\n    Operations Services, B-255530, Feb. 23,1994.\n\n    The Report asserts that "OAS had already pre-selected a contractor approximately a week before .\n    the solicitation was publicized." This statement is incorrect and a highly speculative inference\n    from an email referenced in the Report by the auditors. The correspondence in question occurred\n    during the market research phase ofthe procurement The auditors never discussed this email\n    with its author concerning her intent.! During market research on projects, agencies :frequently\n    identify potential offerors who are expected to be able to perform the work. In fact, the winning\n    offeror was one ofsix firms identified as being capable of meeting requirements. The fact that\n    one ofthe contractors identified by OFM during the initial market research was ultimately the\n    only offeror on the project is not an indicator ofpre-selection. Anyone could propose who met\n    the requirements, and it was the vendor(s) who decided whether to propose or not. A named\n    individual need not be associated with a single contractor. It is common practice for competing\n    firms to hire staff members who have experience with agency needs. In fact, often the same\n    individual will appear as a key person on multiple contract proposals from different firms. Any\n    firm wishing to submit a proposal could, in fact, have proposed and hired any SEC employee or\n    SEC contractor who was qualified and cleared by SEC, or whose clearance had not been e:xpired\n    more than 30 days. These proposals would have been considered.\n\n    For the many reasons referenced above, OAS does not agree that this action is evidence that\n    OAS management controls are inadequate to ensure adherence to competition requirements of\n    the FAR or that there is evidence of ~selection. On the contrary, the fact that OAS attempted\n\n    1 The Report makes much of the      contracting officer\'s use ofthe common abbreviation" ie.", the Latin abbreviation\n    for id est (that is) instead of"e.g.", the Latin abbreviation for exempli gratkl (for example) in an email. In the email,\n    she \xc2\xb7identifies the name ofa cleared individual who might be proposed for program work, who later came to work\n    with the eventual successful ofBor. The Report, in our opinion, is highly speculative in concluding that the use of\n    "i.e." indicated pn>selection, for all the reuons set forth above. Use of"ie." rather than "e.g." is a common\n    gnunmatic:al error and in filct, is coDSidered one ofthe top ten errors seen in college level writing or tecbnical\n    documents. Reference, e.g., http://www.mbatutes.comltop-5-most-common-english-grammar-errors. Further, the\n    Contracting Officer was not in a position to unilaterally select the successful vendor. Evaluators would be involved\n    in analyzing proposals and generally making li recommendation as to the most highly qualified technical offer, and\n    be in a position to comment before any final aWllI\'d decision was made. A contracting officer makes her own\n    ultimate aWllI\'d decision, but in doing so, she relies on the input from the evaluation staff\'and, if she reaches a\n    different decision, documents her views and why they difler from that ofher evaluation panel.\n\n\n                                                                6\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                                               September 30, 2010\nReport No. 486\n                                                                25\n\x0c                                                                                              Appendix V\n\n\n    to find additional sources that could perfonn the work instead ofsimply entering into a sole\n    source contract (which would have been far easier) is evidence that maximizing competition was\n    a prime consideration for the OA contracting officer. In preparing this response, we discussed the\n    issue and the email with the contracting officer and she stated she had no intent of pre-selection\n    but in fuet used competitive procedures.\n\n    Recommendation 3:\n\n    To ensure duties are segregated, the Office of Administrative Services should implement\n  . internal procedures to limit Contracting Officers from also assuming project management\n    and CoJitracting Officer\'s Technical Representative\'s responsibilities on the same project.\n\n    OAS does not concur with this recommendation. OMB Circular A-I 23 discusses the\n    management control environment and proper segregation ofduties (sepanite personnel with\n    authority to authorize a transaction, process the transaction, and review the transaction).\n    Segregation ofduties does not restrict a contracting officer from performing contracting officer\'s\n    technical representative (COTR) responsibilities. The contracting officer, who has those duties as\n    an intrinsic part ofher contracting officer\'s responsibilities, delegates COTRs responsibilities.\n    The contracting officer cannot delegate a responsibility she does not have. COTRs act for the\n    contracting officer in certain situations and perform delegated duties as necessary to administer\n    an assigned contract and support the contracting officer.\n\n    A contracting officer has express authority to enter into, administer, and terminate contracts.\n    According to SECR 10-15, the contracting officer has authority to determine what type of\n    contract administration pOsition is needed for a contract and works with program officials (in this\n    case OAS) to identifY appropriate employees for those contract administration positions; further,\n    the contracting officer appoints/designates employees to contract administration positions in\n    writing. The Report assumes that an individual other than the contracting officer would have\n    been better qualified to perform the duties often delegated to a COTR. We do not agree. There is\n    a dynamic balance between IT expertise and business process expertise when implementing IT\n    projects that support business owners. The business process requirements were critically\n    important when the system involved directly supported the acquisition business process. The\n    SEC must manage risk, since it is impossible to eliminate it, and often an agency assigns the best\n    available resource combining knowledge ofbusiness needs and IT requirements.\n\n    As the business sponsor ofthe APS project, OA recognizes that assistance with project planning\n    and coordination would have been highly desirable, and as OIT strengthens its staffing resources,\n    we agree that we will use those resources more fully as they become available. However, both\n    OA and OIT had insufficient personnel to support all projects as robustly as we might desire.\n    Management agrees that the contracting officer did not have as much time to manage this project\n\n\n                                                     7\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                            September 30, 2010\nReport No. 486\n                                                     26\n\x0c                                                                                            Appendix V\n\n\n    optimally, and OIT had insufficient personnel resources to fully support the effort. However, the\n    business sponsor and acquisition subject matter experts needed to be substantially involved in the\n    project to ensure ONs business needs were met. The Assistant Director for OA at the time had a\n    significant role in the APS project. ht addition to his oversight and knowledge, he chaired the\n    Executive Steering Committee, briefed the htfonnation Officer\'s Council (lOC) on a quarterly\n    basis, met regularly with OIT, Office ofFinancial Management (OFM) and the contractors\n    involved in the project, and spent roughly eight to twelve hours per week working on the APS\n    project Management made the decision to optimize constrained resources by not delegating\n    COTR duties whm inadequate staffing structures existed in both offices.\n\n    The contracting officer oversaw performance and retained contract administration. This approach\n    was appropriate because OIT had limited program management resources available. PRISM is a\n    COTS product that is compliant with federal FSIO requirements, and is a tool that has been\n    successfully implemmted in many federal agencies. Given resource constraints, management\n    believes these were appropriate decisions given the conditions existing in 2008 when those\n    decisions were made; Tom King and John Pezzullo, both OIT program/project managers,\n    supported the APS project extensively by providing technical, CPIC, CMQA, and other IT\n    expertise and support. Their input and guidance were critical in terms ofmanaging the technical\n    requirements ofthe APS project. Some oftheir responsibilities in support ofthe April 2009\n    Phase I rollout included system development life cycle (SDLe) processing CCBs,\'labs,\n    documents, certification and accreditation, vulnerability testing, mitigating Plans ofAction and\n    Milestones (pOAM\xc2\xbb, technical advice, buying servers and equipment, setting up OIT required\n    environments, completing data installations, processing CCBs through SDLC and "Authorities to\n    Operate" issued after the certification and accreditation process.\n\n    During implementation, there has been significant statutory and regulatory change, internal\n    improvements within the SEC in both OA and OFM, and increasing focus on OMB A-123 and\n    A-127. Staffoffices successfully worked together as a cross-functional team consisting of\n    Federal subject matter experts and contractors in completing Phase I implementation ofPRISM\n    in April 2009. Because ofthe team\'s efforts, OA for the first time has a contract writing tool, a\n    tool that is improving the office\'s ability to more accurately manage contract activities and track\n    contract actions. Although the integration project has been delayed, Management intends to seek\n    an integrated solution as financial system solutions are implemented.\n\n    Despite non-concurrence with this finding, OIT and OAS together will continue to work to\n    strengthm the project management and COTR function at the SEC.\n\n    Recommendation 4:\n\n    The Office of Acquisitions should review existing contracts to ensure\n\n\n                                                     8\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                          September 30, 2010\nReport No. 486\n                                                    27\n\x0c                                                                                               Appendix V\n\n\n  that Contracting Officer\'s Technical Representatives are assigned for each\n  contract as appropriate.\n\n  OAS concurs with this recommendation. While it is neither appropriate nor necessary to appoint\n  a COTR. for all existing contracts - for instance, aged contracts pending closeout. closed out\n  contracts that are being retained in accordance with records management policies, or certain\n  contracts that are not technical in nature - OA has already begun an effort to review active\n  contracts. The contracting officer will determine whether it is appropriate to appoint an\n  Inspection and Acceptance Official or a COTR. to those active contracts.\n\n  Recommendation 5:\n\n  The Office of Administrative Services (OAS), in conjunction with the Office of Financial\n  Managemen~should evaluate the reconciliation tool in order to determine, on a cost to\n  benefit basis, whether it would be feasible to correct the deficiencies noted. OAS should\n  then .decide whether the corrections should be performed by Commission personnel, or by\n  technically competent contractor personnel.\n\n  OAS concurs with this recommendation. OA and OFM have made a decision that it is not\n  feasible to correct the deficiencies in the validation report. Subsequent to the IG\'s audit, the\n  FMOC made a decision to go to a shared service provider for its financial management system.\n  That and upgrades to PRISM required to accommodate new reporting requirements warrant\n  deterring corrections to this report. This qualitative decision supersedes the need to conduct a\n  cost benefit analysis since it is inappropriate to revise a reconciliation report for the two existing\n  systems until the financial system is determined. We request this recommendation be closed.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts                             September 30, 2010\nReport No. 486\n                                                      28\n\x0c                                                                      Appendix VI\n\n\n      OIG Response to Management\xe2\x80\x99s Comments\n\nThe Office of Inspector General is pleased that the Office of Administrative\nServices (OAS) has concurred with recommendations no. 2, 4, and 5, but are\ndisappointed in OAS\xe2\x80\x99s non-concurrence with recommendation no. 3. The\nrecommendation that OAS implement procedures to \xe2\x80\x9climit\xe2\x80\x9d contracting officers\nfrom assuming certain project management duties is a prudent and appropriate\nstep to take to ensure that Commission projects are managed more efficiently in\nthe future.\n\nWe are pleased that the Chief Operating Officer/Acting Chief Information Officer\nconcurred with recommendation no. 1, the only recommendation directed to the\nOffice of Information Technology. We believe that the independent consultant\xe2\x80\x98s\nassessment will be useful to improve the vulnerabilities and areas of concern that\nwe identified in the audit.\n\nWe believe that if all of the recommendations in this report are fully implemented,\nthe Commission\xe2\x80\x99s contract and procurement oversight will be significantly\nimproved.\n\n\n\n\nReview of PRISM Automated Procurement System Support Contracts     September 30, 2010\nReport No.486\n                                              29\n\x0c                                                                     Appendix VI\n\n\n                     Audit Requests and Ideas\n\nThe Office of Inspector General welcomes your input. If you would like to\nrequest an audit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. #: 202-551-6061\nFax #: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, and mismanagement at SEC,\n      contact the Office of Inspector General at:\n\n      Phone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'